
Colin Moriarty PSN Hack Exposes Sony Support Flaw Still Open Six Months On

1AM Gamer Team
20 May 2026 14:00 PM BST
Something feels broken with PlayStation account security right now, and Sony isn't saying a word about it.
On 18 May 2026, Sacred Symbols podcast host Colin Moriarty announced on X his PSN account had been hijacked, despite having two-factor authentication switched on and his password recently changed. The kicker? He'd been warned hours earlier by another victim: hackers had his information and were coming for him.
"My PSN account was hacked, seemingly as part of an ongoing sophisticated series of moves against both random and 'prominent' users," Moriarty posted on X. Within minutes of the takeover, the hijacked account fired off a threatening message to his co-host Dustin Furman saying "You're next".
Moriarty got his account back inside a few hours. But only because he'd worked at IGN, co-founded Kinda Funny, and had direct contacts inside Sony PR and several first-party studios. He said as much himself. Regular players don't have those tethers.
The exploit nobody is patching
Here's what makes this nasty. Reports first surfaced back in December 2025, when French journalist Nicolas Lellouche from Numerama documented his own PSN hack and was kind enough to befriend the attacker afterwards. Lellouche learned the hacker only needed two scraps of info to convince PlayStation support to hand over his account: his PSN ID and an old transaction number.
Username plus one historic order number, the last four digits of a card, or an invoice ID. Then customer support resets the linked email, 2FA gets nuked alongside it, and the legitimate owner is locked out of years of purchases.
X user @mrpyo1 spelled out the mechanics on 19 May, posting: "Attackers only need your public PSN ID plus one piece of old transaction data, so usually a full order number or the last four digits of a card you used on the account at any point in the past." Sony's internal support tooling, by all accounts, treats those details as proof of ownership.
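The policy gap described above can be expressed as a rule: facts that can leak should never be enough to change an account's email or 2FA. The sketch below is an added example, not Sony's tooling or code from the article; the evidence labels, action names and the `decide` function are hypothetical, and the high-risk rule mirrors the flag the article mentions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Strength(IntEnum):
    PUBLIC = 0      # visible to anyone, e.g. the account handle
    KNOWLEDGE = 1   # facts that leak: order number, card last four, invoice ID
    POSSESSION = 2  # proves control of something already enrolled on the account

# Hypothetical evidence labels for this sketch, not any vendor's real fields.
EVIDENCE = {
    "account_id": Strength.PUBLIC,
    "order_number": Strength.KNOWLEDGE,
    "card_last4": Strength.KNOWLEDGE,
    "invoice_id": Strength.KNOWLEDGE,
    "code_sent_to_current_email": Strength.POSSESSION,
    "passkey_assertion": Strength.POSSESSION,
}
SENSITIVE_ACTIONS = {"change_email", "disable_2fa"}

@dataclass
class SupportRequest:
    action: str
    evidence: frozenset
    high_risk_flag: bool = False  # account was targeted before

def decide(req):
    """Return (allowed, reason) for a change requested through support."""
    unknown = set(req.evidence) - set(EVIDENCE)
    if unknown:
        return False, "unrecognised evidence: " + ", ".join(sorted(unknown))
    if req.action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    if req.high_risk_flag:
        return False, "high-risk account: support may not change credentials"
    strongest = max((EVIDENCE[e] for e in req.evidence), default=Strength.PUBLIC)
    if strongest < Strength.POSSESSION:
        return False, "knowledge-only evidence cannot change email or 2FA"
    return True, "possession factor verified"

if __name__ == "__main__":
    # Constructed requests: the evidence the article describes, then stronger proof.
    for req in (
        SupportRequest("change_email", frozenset({"account_id", "order_number"})),
        SupportRequest("disable_2fa", frozenset({"account_id", "card_last4"})),
        SupportRequest("change_email", frozenset({"account_id", "passkey_assertion"})),
        SupportRequest("change_email", frozenset({"passkey_assertion"}), high_risk_flag=True),
    ):
        print(req.action, sorted(req.evidence), "->", decide(req))
```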
Six months on, Sony still silent
After Lellouche's first hack in December, Sony reportedly flagged his account as high-risk and promised customer service wouldn't touch it. According to PlayStation LifeStyle, the protection lasted roughly six months before the same hacker walked back in using the same method.
Multiple trophy hunters with public profiles have been hit since. Content creator Genki Gamer says their account was breached and used to buy Robux before refunds kicked in. The pattern is grimly consistent. Victims report a flood of random sign-up emails from services they've never touched (SubStack, EA, AliExpress, Slack), followed by SMS alerts saying their PSN email has been swapped and 2FA disabled. By the time you read those texts, your account is gone.
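The sign-up flood is the earliest signal in that pattern, so it is worth flagging before the SMS alerts arrive. The following is an added example, not from the article: it scans constructed inbox metadata for a short burst of sign-up mail from many distinct senders. The subject hints, window and threshold are assumptions to tune.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Subject fragments typical of sign-up confirmations (an assumption, tune per mailbox).
SIGNUP_HINTS = ("confirm your", "verify your", "welcome", "activate your", "sign up")

# Constructed inbox metadata (time, sender domain, subject); not real mail.
SAMPLE_INBOX = [
    ("2026-05-18 09:00:05", "newsletter.example", "Your weekly digest"),
    ("2026-05-18 13:02:10", "substack.example", "Confirm your subscription"),
    ("2026-05-18 13:02:41", "ea.example", "Welcome to your new account"),
    ("2026-05-18 13:03:02", "aliexpress.example", "Verify your email address"),
    ("2026-05-18 13:03:30", "slack.example", "Confirm your email to sign up"),
    ("2026-05-18 13:04:12", "shop.example", "Activate your account today"),
]

def find_signup_bursts(messages, window=timedelta(minutes=10), min_senders=4):
    """Return (start, end, senders) for each window holding sign-up mail
    from at least min_senders distinct sender domains."""
    hits = sorted(
        (datetime.strptime(ts, FMT), domain)
        for ts, domain, subject in messages
        if any(hint in subject.lower() for hint in SIGNUP_HINTS)
    )
    bursts, i = [], 0
    while i < len(hits):
        j = i
        # Extend the window while the next hit is within `window` of the first.
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        senders = sorted({domain for _, domain in hits[i:j + 1]})
        if len(senders) >= min_senders:
            bursts.append((hits[i][0], hits[j][0], senders))
            i = j + 1  # continue after this burst
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, senders in find_signup_bursts(SAMPLE_INBOX):
        print(f"sign-up burst {start} to {end}: {len(senders)} senders {senders}")
```

A hit is a cue to check the account's sign-in email and 2FA status immediately and to contact support before the change notices arrive.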
Sony hasn't said a thing about the support tool, the verification policy, or any patch. The company's existing guidance leans on telling users not to share account details or transaction screenshots online, which sidesteps the real question. Why is one old invoice number enough to bypass a hardware passkey?
Sony's official privacy and security page reiterates standard advice about strong passwords and 2FA. Neither protected Moriarty. The company didn't respond to comment requests from Kotaku or Insider Gaming either.
For a company whose subscription prices keep climbing (PS Plus Essential going up on 20 May, conveniently the same day this story broke wide), the silence reads badly. Critics point back to the 2023 RansomedVC drama and the infamous 2011 PSN outage as evidence Sony has been slow to address account security weaknesses across two decades.
Protecting your account, as much as possible
Honest answer? Sony holds most of the cards here. Until the support workflow changes, no amount of consumer hygiene fully closes the gap. A few practical steps reduce your exposure though:
- Hide your PSN ID. Moriarty had his in his X bio, which made him an easy target. If your handle is plastered across social media, consider scrubbing it.
- Use a unique email for PlayStation sign-in. One you don't share publicly anywhere else.
- Never post screenshots of PS Store purchases or receipts with transaction IDs visible. Old ones included.
- Remove stored payment methods if you don't make frequent purchases.
- Keep 2FA on anyway. Yes, attackers bypass it through support, but every barrier helps against random credential stuffing.
A frustrating list for paying customers, and the burden shouldn't be on you to compensate for a billion-dollar platform's support policy. But here we are.
Players are waiting for two things now: an official Sony statement acknowledging the support verification gap, and an actual policy change so transaction numbers stop functioning as account keys. Neither has arrived. The community has been very loud. The press coverage has been broad. Trophy hunters and creators with active accounts going back over a decade are sweating.
If you've been hit, document everything, contact PlayStation Support, and brace for a long process. As Moriarty himself put it, his swift recovery wasn't typical. Most players don't have direct contacts inside Sony.